x509-cert: Non-Repudiation set by default in builder
https://github.com/RustCrypto/formats/blob/fdb711e56e8139c57284ce06329033e467c5a0c4/x509-cert/src/builder.rs#L199
Is there any special reason to enable it by default?
I understand that ETSI advises against combining Non-Repudiation with other key usages.
See section 4.3.2, Key usage: https://www.etsi.org/deliver/etsi_en/319400_319499/31941202/02.03.00_20/en_31941202v020300a.pdf
I was not aware of the ETSI document. I believe I went with the RFC5280 at the time:
For example, when an RSA key should be used only to verify signatures on
objects other than public key certificates and CRLs, the
digitalSignature and/or nonRepudiation bits would be asserted.
https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
I didn't see harm in putting it. That was a mistake.
I guess the Profile::Leaf should be further qualified to include the A/C/E types from the ETSI:
NAT-4.3.2-1: The key usage extension shall be present and shall contain one (and only one) of the key usage settings
defined in table 1 (A, B, C, D, E or F). Type A, C or E should be used to avoid mixed usage of keys.
@zkonge I published https://github.com/RustCrypto/formats/pull/1306 to fix this, if you could take a look, that would be appreciated.
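As an added illustration of the concern raised in this thread (example code, not part of the x509-cert crate or the linked PR): a dependency-free Rust lint that decodes the DER KeyUsage BIT STRING per RFC 5280 section 4.2.1.3 and flags a certificate that combines nonRepudiation with any other usage, run on constructed encodings of the old builder default (digitalSignature + nonRepudiation) and of a single-purpose digitalSignature key. The constant and function names are mine.

```rust
// Added example: a dependency-free lint for the KeyUsage extension value
// (not x509-cert code). Bit positions follow RFC 5280 section 4.2.1.3.
const DIGITAL_SIGNATURE: u16 = 1 << 0;
const NON_REPUDIATION: u16 = 1 << 1; // also called contentCommitment

/// Decode the DER BIT STRING of a KeyUsage extension into a bit set where
/// bit i of the result is KeyUsage bit i. Short-form length only, which is
/// all a 9-bit KeyUsage ever needs.
fn decode_key_usage(der: &[u8]) -> Result<u16, &'static str> {
    if der.len() < 3 || der[0] != 0x03 { return Err("not a BIT STRING"); }
    let len = der[1] as usize;
    if len == 0 || der.len() != 2 + len { return Err("bad length"); }
    let unused = der[2];
    let content = &der[3..];
    if unused > 7 || content.len() > 2 || (content.is_empty() && unused != 0) {
        return Err("malformed KeyUsage bit string");
    }
    // DER requires the unused trailing bits of the last octet to be zero.
    if let Some(last) = content.last() {
        if *last & ((1u8 << unused) - 1) != 0 { return Err("non-zero padding bits"); }
    }
    let mut bits = 0u16;
    for (i, byte) in content.iter().enumerate() {
        for b in 0..8usize {
            // ASN.1 bit 0 is the most significant bit of the first octet.
            if *byte & (0x80u8 >> b) != 0 {
                bits |= 1u16 << (i * 8 + b);
            }
        }
    }
    Ok(bits)
}

/// The rule raised in this thread: nonRepudiation must stand alone, so any
/// bit set that combines it with another usage is flagged.
fn non_repudiation_is_mixed(bits: u16) -> bool {
    bits & NON_REPUDIATION != 0 && bits & !NON_REPUDIATION != 0
}

fn main() {
    // Constructed encodings, not taken from a real certificate.
    let old_default: [u8; 4] = [0x03, 0x02, 0x06, 0xC0]; // digitalSignature + nonRepudiation
    let single_use: [u8; 4] = [0x03, 0x02, 0x07, 0x80]; // digitalSignature only
    for der in [&old_default[..], &single_use[..]] {
        let bits = decode_key_usage(der).expect("valid encoding");
        println!("digitalSignature={} mixed={}", bits & DIGITAL_SIGNATURE != 0, non_repudiation_is_mixed(bits));
    }
}
```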